CLAIMS: 



1 . (Previously presented) A method of handling personally identifiable information, 
said method comprising: 

defining a limited number of privacy-related actions regarding said personally 
identifiable information; 

constructing a rule for each of said privacy-related actions, wherein each rule 
defines an action corresponding to an associated privacy-related action, a logical 
condition that identifies a condition under which a particular decision is generated, and a 
decision indicating a manner by which said associated privacy-related action is to be 
performed; 

creating a programming object containing a set of rules, wherein the set of rules 
comprises at least one of said constructed rules; 

associating said programming object with said personally identifiable 
information; 

processing a request using the programming object containing said set of rules, 
wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 
corresponding to an action specified in the request, a condition that evaluates to 
"true," and a decision that indicates that the action is authorized; 

selecting a rule in the set of rules that has an action corresponding to said 
action specified in the request, said condition that evaluates to "true," and said 
decision that indicates that the action is authorized; and 

providing an output based on selecting said rule in the set of rules. 

2. (Original) The method of Claim 1, wherein said output is selected from the group 
consisting of 

authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
and denying said request but also suggesting what must be done to have said 
request approved. 



Page 2 of 1 1 
Adler et al. - 09/884,153 



3. (Original) The method of Claim 1, wherein said output includes the specification 
of at least one additional action that must be taken. 

4. (Previously presented) A system for handling personally identifiable information, 
said system comprising: 

a processor; and 

a memory coupled to the processor, wherein the memory stores instructions 
which, when executed by the processor, cause the processor to: 

define a limited number of privacy-related actions regarding said personally 
identifiable information; 

construct a rule for each of said privacy-related actions, wherein each rule defines 
an action corresponding to an associated privacy-related action, a logical condition that 
identifies a condition under which a particular decision is generated, and a decision 
indicating a manner by which said associated privacy-related action is to be performed; 

create a programming object containing a set of rules, wherein the set of rules 
comprises at least one of said constructed rules; 

associate said programming object with said personally identifiable information; 

process a request using the programming object containing said set of rules, 
wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 

corresponding to an action specified in the request, a condition that evaluates to 

"true," and a decision that indicates that the action is authorized; 

selecting a rule in the set of rules that has an action corresponding to said 

action specified in the request, said condition that evaluates to "true," and said 

decision that indicates that the action is authorized; and 

providing an output based on selecting said rule in the set of rules. 

5. (Original) The system of Claim 4, wherein said output is selected from the group 
consisting of 

authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
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and denying said request but also suggesting what must be done to have said 
request approved. 

6. (Original) The system of Claim 4, wherein said output includes the specification 
of at least one additional action that must be taken. 

7. (Previously presented) A computer program product comprising a computer- 
usable medium having a computer readable program for handling personally identifiable 
information, wherein the computer readable program, when executed on a computing 
device, causes the computing device to: 

define a limited number of privacy-related actions regarding said personally 
identifiable information; 

construct a rule for each of said privacy-related actions, wherein each rule defines 
an action corresponding to an associated privacy-related action, a logical condition that 
identifies a condition under which a particular decision is generated, and a decision 
indicating a manner by which said associated privacy-related action is to be performed; 

create a programming object containing a set of rules, wherein the set of rules 
comprises at least one of said constructed rules; 

associate said programming object with said personally identifiable information; 

process a request using the programming object containing said set of rules, 
wherein processing said request comprises: 

determining if said set of rules includes at least one rule having an action 

corresponding to an action specified in the request, a condition that evaluates to 

"true," and a decision that indicates that the action is authorized; 

selecting a rule in the set of rules that has an action corresponding to said 

action specified in the request, said condition that evaluates to "true," and said 

decision that indicates that the action is authorized; and 

providing an output based on selecting said rule in the set of rules. 

8. (Previously presented) The computer program product of Claim 7, wherein said 
output is selected from the group consisting of 
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authorizing said privacy-related action, 

authorizing said privacy-related action, plus specifying one or more tasks, 
and denying said request but also suggesting what must be done to have said 
request approved. 

9. (Previously presented) The computer program product of Claim 7, wherein said 
output includes the specification of at least one additional action that must be taken. 

10. (Previously presented) The method of claim 1, wherein processing a request 
using said programming object containing said set of rules further comprises: 

identifying one or more tasks associated with said selected rule, if a decision of 
said rule indicates that said rule has associated tasks; 

adding said one or more tasks specified for said privacy-related action to a list 
data structure associated with said programming object, wherein said list data structure 
contains one or more tasks for each rule associated with said programming data structure 
that has a decision indicating that said action identified in said request is authorized; and 

returning, in said output, said list data structure associated with said programming 

object. 

1 1. (Previously presented) The method of claim 10, wherein said identifying of one 
or more tasks, adding said one or more tasks to a list data structure, and returning said list 
data structure are performed if said selected rule has a decision indicating that said action 
associated with said rule is obligated. 

12. (Previously presented) The method of claim 1 , wherein if a result of said 
determining if said set of rules includes at least one rule having an action corresponding 
to an action specified in said request, a condition that evaluates to "true," and a decision 
that indicates that said action is authorized, indicates that no such rule is present in said 
set of rules, said method further comprises: 

denying said request; 



Page 5 of 1 1 
Adler et al. - 09/884,153 



searching for one or more suggestion rules in said set of rules that have an action 
corresponding to said action specified in said request, a condition that evaluates to "true," 
and a decision that indicates that a suggestion is to be provided; and 

providing a suggestion, based on said one or more suggestion rules, indicating 
what operation needs to be performed in order for said action specified in said request to 
be authorized. 

13. (Previously presented) The method of claim 1, wherein said limited number of 
privacy-related actions define privacy-related actions that may be performed by one of a 
data subject that is identified by said personally identifiable information, a data user that 
requests access to said personally identifiable information, and a third party to which 
privacy-related notifications concerning said personally identifiable information may be 
sent. 

14. (Previously presented) The method of claim 1, wherein said programming object 
is an empty form programming object that represents a paper form that may be completed 
by a provider of said personally identifiable information. 

15. (Previously presented) The method of claim 14, wherein associating said 
programming object with said personally identifiable information comprises: 

entering said personally identifiable information into fields of said empty form 
programming object, wherein said one or more rules of said programming object are 
applied to said personally identifiable information. 

16. (Previously presented) The system of claim 4, wherein said instructions further 
cause the processor to process a request using said programming object containing said 
set of rules by: 

identifying one or more tasks associated with said selected rule, if a decision of 
said rule indicates that said rule has associated tasks; 

adding said one or more tasks specified for said privacy-related action to a list 
data structure associated with said programming object, wherein said list data structure 
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contains one or more tasks for each rule associated with said programming data structure 
that has a decision indicating that said action identified in said request is authorized; and 
returning, in said output, said list data structure associated with said programming 

object. 

17. (Previously presented) The system of claim 16, wherein said identifying of one or 
more tasks, adding said one or more tasks to a list data structure, and returning said list 
data structure are performed if said selected rule has a decision indicating that said action 
associated with said rule is obligated. 

18. (Previously presented) The system of claim 4, wherein if a result of said 
determining if said set of rules includes at least one rule having an action corresponding 
to an action specified in said request, a condition that evaluates to "true," and a decision 
that indicates that said action is authorized, indicates that no such rule is present in said 
set of rules, said instructions further cause the processor to: 

deny said request; 

search for one or more suggestion rules in said set of rules that have an action 
corresponding to said action specified in said request, a condition that evaluates to "true," 
and a decision that indicates that a suggestion is to be provided; and 

provide a suggestion, based on said one or more suggestion rules, indicating what 
operation needs to be performed in order for said action specified in said request to be 
authorized. 

19. (Previously presented) The system of claim 4, wherein said programming object 
is an empty form programming object that represents a paper form that may be completed 
by a provider of said personally identifiable information. 

20. (Previously presented) The system of claim 19, wherein said instructions cause 
the processor to associate said programming object with said personally identifiable 
information by: 
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entering said personally identifiable information into fields of said empty form 
programming object, wherein said one or more rules of said programming object are 
applied to said personally identifiable information. 
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